1

I have a test network setup based on virtual machines. My host machine, a web server and the firewall are on the 192.168.0.0/24 network (gateway is 192.168.0.1); a server machine is located behind the firewall on the 10.40.1.0/24 network (firewall eth1 is its gateway with IP 10.40.1.1). Please note that the firewall has no rules at this point.

How can I use nmap to detect/scan the server behind the firewall on the 10.40.1.0/24 network?

Jens Erat
Aion
  • Is your firewall on the 192.168 subnet actually a NAT router handling traffic for the 10.40 subnet? If so, it is more than a firewall. – Jeff Meden May 14 '15 at 11:38
  • Yes, the 10.40 subnet uses the firewall to access the internet and the firewall has a NAT role when it comes to directing traffic inside the subnet. – Aion May 14 '15 at 11:51
  • If you can access the web server from a network, so can nmap. If you are asking about the specific switches for Nmap, you can start at https://nmap.org/book/man.html – void_in May 14 '15 at 14:18

2 Answers

1

The NAT software running on the Firewall system is going to block all inward traffic that doesn't match a current egress session or a port forwarding rule. If no port forwarding rules are in place, then the server behind the NAT is as good as invisible, barring compromises to the firewall.

Jeff Meden
1

How to detect if you are behind a PNAT:

nping --ec "public" -c 1 echo.nmap.org (CAPT-labelled packet gives away the PNAT address)

If you test the external side of the firewall, you could use the bnat modules from the Metasploit Framework in order to route traffic through the broken implementation of NAT.

There is also a vulnerability in some firewalls that leads to a bypass, detectable from an Nmap script -- https://nmap.org/nsedoc/scripts/firewall-bypass.html.

atdre
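The nping echo check above works by comparing the probe as it left your host (SENT) with the copy the echo server reports back (CAPT). As an added example that is not part of either answer, this Python snippet parses constructed nping-style output and reports whether the source address and source port were rewritten on the way out; the exact line shape, the sample addresses and the field names are assumptions modelled on nping's echo-client output.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample shaped like nping echo-client output (not a real capture; the
# public address is from a documentation range). nping shows each probe three times:
# SENT as it left this host, CAPT as the echo server saw it, RCVD the reply. A CAPT
# source that differs from SENT means the firewall rewrote it (NAT); a changed source
# port on top of that indicates port translation (PNAT/PAT).
SAMPLE = """\
SENT (0.0101s) TCP 192.168.0.10:41000 > 45.33.32.156:80 S ttl=64 id=12 iplen=40
CAPT (0.0912s) TCP 203.0.113.77:62001 > 45.33.32.156:80 S ttl=58 id=12 iplen=40
RCVD (0.1830s) TCP 45.33.32.156:80 > 192.168.0.10:41000 SA ttl=52 id=0 iplen=44
"""

# Assumed line shape: "<KIND> (<time>s) <PROTO> <src>[:<port>] > <dst>[:<port>] ..."
LINE = re.compile(r"^(SENT|CAPT|RCVD) \([\d.]+s\) \w+ (\S+?)(?::(\d+))? > \S+")

@dataclass
class NatVerdict:
    behind_nat: Optional[bool]  # None: the echo server never saw the probe
    public_ip: Optional[str]    # source address the echo server saw, if rewritten
    port_translated: bool

def _source(line: str) -> Optional[Tuple[str, str, Optional[int]]]:
    m = LINE.match(line)
    if not m:
        return None
    kind, ip, port = m.groups()
    return kind, ip, int(port) if port else None

def detect_nat(output: str) -> NatVerdict:
    """Compare the first SENT probe with the first CAPT report of it."""
    sent = capt = None
    for line in output.splitlines():
        parsed = _source(line)
        if parsed is None:
            continue
        kind, ip, port = parsed
        if kind == "SENT" and sent is None:
            sent = (ip, port)
        elif kind == "CAPT" and capt is None:
            capt = (ip, port)
    if sent is None:
        raise ValueError("no SENT line: nothing was probed")
    if capt is None:  # dropped before reaching the echo server, or not echoed back
        return NatVerdict(None, None, False)
    translated = sent[0] != capt[0]
    return NatVerdict(translated, capt[0] if translated else None,
                      translated and sent[1] != capt[1])
```

Run `detect_nat` on the captured text of a real `nping --ec "public" -c 1 echo.nmap.org` session; a `behind_nat` of `None` means the probe never reached the echo server, which on this setup would point at the firewall dropping it rather than translating it.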